PreToolUse hook does not prevent tool execution — fires after the fact
Summary
A PreToolUse hook configured to block a specific Bash command (in this case, sed) did not prevent the command from running. The hook fired and blocked agent continuation, but the tool had already executed and caused the side effect it was meant to prevent.
Expected behavior
A PreToolUse hook should act as a gate: if the hook returns a deny decision or non-zero exit, the tool must not run. The name "PreToolUse" implies the hook fires before the tool executes.
Actual behavior
The Bash tool ran and completed (executing sed -i on a file). Only after execution did the hook fire, blocking further agent continuation. The file was modified before the hook had any effect.
Hook configuration
The hook is configured in ~/.claude/settings.json as a PreToolUse hook on the Bash tool. It inspects the command for sed usage and returns a deny decision.
Impact
The hook exists specifically because sed was used in a prior session to destroy a file with no backup. The PreToolUse hook is the mechanical enforcement meant to prevent recurrence. If it doesn't fire before execution, it provides no protection — only a post-mortem.
Repro
- Configure a
PreToolUsehook on the Bash tool that denies commands matching a specific pattern (e.g., containingsed) - Ask Claude to run a Bash command matching that pattern via SSH (
ssh host "sed -i ...") - Observe: the command executes and completes, then the hook fires
Notes
It's possible the hook fires correctly for local commands but the SSH wrapper causes it to be evaluated after the subprocess is already running. Either way, the contract is broken.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗